fix(siwe): normalize Ethereum address to lowercase to prevent duplicate identities

mastermanas805 · mastermanas805 · commit 16faddb75494 · 2026-04-26T10:35:24.000+05:30
Ethereum addresses are protocol-level case-insensitive: 0xABC... and 0xabc... refer to the same wallet. EIP-55 mixed-case is a visual checksum, not a distinct identifier. Before this change, internal/utilities/siwe/parser.go stored the address verbatim from the SIWE message body. internal/api/web3.go then composed the identity provider_id directly from that string, and models.FindIdentityByIdAndProvider does case-sensitive equality on provider_id. The result: the same wallet signing in with different case variants of its address produced two distinct auth.identities rows pointing to two separate users. Fixes #2264. The fix is a single strings.ToLower call at parser entry, immediately after the address pattern matches. Normalizing at the parser layer gives every caller a single canonical form with no extra knowledge required, and matches the existing email lowercase-normalization precedent in internal/models/identity.go (BeforeUpdate). VerifySignature already used strings.EqualFold, so signature recovery is unaffected. Scope is intentionally limited to SIWE (Ethereum). The SIWS (Solana) parser is left untouched: Solana addresses are base58, which is case-sensitive, and lowercasing them would corrupt valid addresses. Operational note: this fix prevents NEW duplicate identities. Existing rows with mixed-case provider_id values are not migrated by this patch; operators who have already accumulated duplicates will need a separate backfill that lowercases auth.identities.provider_id for provider='ethereum' rows and merges the resulting collisions. Flagged as out of scope here. Signed-off-by: Manas Srivastava <mastermanas805@gmail.com>
diff --git a/internal/utilities/siwe/parser.go b/internal/utilities/siwe/parser.go
@@ -57,6 +57,16 @@ func ParseMessage(raw string) (*SIWEMessage, error) {
 		return nil, ErrInvalidAddress
 	}
 
+	// Ethereum addresses are protocol-level case-insensitive: 0xABC... and
+	// 0xabc... are the same wallet. EIP-55 mixed-case is a visual checksum,
+	// not a distinct identifier. We normalize to lowercase here so callers
+	// (notably web3GrantEthereum, which uses Address as part of the
+	// identity provider_id) see a single canonical form and the same
+	// wallet cannot create duplicate auth.identities rows by signing in
+	// with different case variants. See issue #2264. This mirrors the
+	// existing email lowercase-normalization in models.Identity.BeforeUpdate.
+	address = strings.ToLower(address)
+
 	msg := &SIWEMessage{
 		Raw:     raw,
 		Domain:  domain,
diff --git a/internal/utilities/siwe/parser_test.go b/internal/utilities/siwe/parser_test.go
@@ -116,7 +116,10 @@ func TestParseMessage(t *testing.T) {
 
 			require.Nil(t, err)
 			require.Equal(t, "example.com", parsed.Domain)
-			require.Equal(t, "0x196a28d05bA75C8dC35B0F6e71DD622D1aC82b7E", parsed.Address)
+			// Address is normalized to lowercase regardless of input casing.
+			// Ethereum addresses are protocol-level case-insensitive; EIP-55
+			// mixed-case is a visual checksum, not a distinct identifier.
+			require.Equal(t, "0x196a28d05ba75c8dc35b0f6e71dd622d1ac82b7e", parsed.Address)
 
 			if i == 0 {
 				require.Equal(t, "Sign in to Example App", *parsed.Statement)
@@ -134,3 +137,49 @@ func TestParseMessage(t *testing.T) {
 		})
 	}
 }
+
+// TestParseMessageAddressNormalization asserts that ParseMessage lowercases
+// the Ethereum address regardless of the input casing. Ethereum addresses
+// are protocol-level case-insensitive (EIP-55 mixed-case is a visual checksum
+// only), so storing them verbatim allowed the same wallet signing in with
+// different casings to create duplicate auth.identities rows. See #2264.
+func TestParseMessageAddressNormalization(t *testing.T) {
+	const lowerAddress = "0x196a28d05ba75c8dc35b0f6e71dd622d1ac82b7e"
+	const upperHexAddress = "0x196A28D05BA75C8DC35B0F6E71DD622D1AC82B7E"
+	const checksumAddress = "0x196a28d05bA75C8dC35B0F6e71DD622D1aC82b7E"
+
+	makeMessage := func(addr string) string {
+		return "example.com wants you to sign in with your Ethereum account:\n" +
+			addr +
+			"\n\nURI: https://example.com\nVersion: 1\nChain ID: 1\nNonce: 12345678\nIssued At: 2025-01-01T00:00:00.000Z"
+	}
+
+	cases := []struct {
+		name  string
+		input string
+	}{
+		{name: "lowercase", input: lowerAddress},
+		{name: "uppercase hex", input: upperHexAddress},
+		{name: "EIP-55 checksum mixed case", input: checksumAddress},
+	}
+
+	parsedAddresses := make([]string, 0, len(cases))
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			parsed, err := ParseMessage(makeMessage(tc.input))
+			require.Nil(t, err)
+			require.Equal(t, lowerAddress, parsed.Address,
+				"parser must lowercase Ethereum address so case-variant sign-ins do not create duplicate identities")
+		})
+		// Re-parse outside the subtest to collect for the equality assertion below.
+		parsed, err := ParseMessage(makeMessage(tc.input))
+		require.Nil(t, err)
+		parsedAddresses = append(parsedAddresses, parsed.Address)
+	}
+
+	// All case variants of the same wallet must yield the exact same Address.
+	for i := 1; i < len(parsedAddresses); i++ {
+		require.Equal(t, parsedAddresses[0], parsedAddresses[i],
+			"all case variants of the same Ethereum address must parse to the same value")
+	}
+}
